REMARKS

Claims 1-20 remain pending in the application. Claims 1-20 stand rejected, with 
claim 18 additionally objected to. Claim 18 is amended in response to the Examiner's 
rejection and objections. Additionally, claims 4, 11, 13, 14, 17 and 19 are amended for
editorial clarity. No new matter is added to the claims with these amendments. 

1. Claim Objections 

The Examiner objected to claim 18, specifically stating that claim 18 is not in the 
form of a single sentence and contains obvious typographical errors such as duplicate text. 
Accordingly, Applicants have amended claim 18 such that the claim reads as a complete
sentence, pursuant to Patent Rule §1.75, and additionally to correct typographical errors and 
eliminate duplicate text. Given these amendments and the arguments laid out herein below, 
Applicants respectfully request withdrawal of the objection to and rejection of claim 18, and 
allowance of the claim. 

2. Claim Rejections - 35 USC § 103 

The following is a quotation from the MPEP setting forth the three basic criteria that 
must be met to establish a prima facie case of obviousness. 

To establish a prima facie case of obviousness, three basic criteria 
must be met. First, there must be some suggestion or motivation, either 
in the references themselves or in the knowledge generally available to 
one of ordinary skill in the art, to modify the references or to combine 
reference teachings. Second, there must be a reasonable expectation of 
success. Finally, the prior art reference (or references when combined) 
must teach or suggest all the claim limitations. MPEP, §2142, citing In 
re Vaeck, 947 F.2d 488, 20 USPQ2d 1438 (Fed. Cir. 1991). 

3. Claims 1-20 stand rejected under 35 USC §103 over CyberCop Scanner by 
Network Associates as described in the Info World article entitled "Test Center Comparison"
(hereinafter, "CyberCop") in view of Info World article entitled "The Ins and Outs of a 
Network Security Audit" (hereinafter, "Security Audit"). Applicants respectfully disagree 
and traverse the rejection since, among other reasons, CyberCop is not prior art to the 
inventions of claims 1-20. 

In the Office Action of 11/05/2003, the Examiner states that "CyberCop discloses the
instant invention essentially as claimed with the exception that CyberCop does not specify
generating a configuration baseline or a file system database for use in other utility
functions" (page 2), but that "Security Audit discloses ... that network audit results should be
stored for comparison to future audits" (page 3). The Examiner therefore contends that claims
1-20 are unpatentable over CyberCop in view of Security Audit. However, CyberCop, with
an effective date of February 8, 1999, is not prior art to the present application, which is a 
Continuation of U.S. Serial No. 09/333,547, which claims priority of provisional application 
number 60/091,270, filed 15 June 1998 (hereinafter, "the provisional application"). Support 
for each of claims 1-20 is found throughout the provisional application, including but not
limited to those locations detailed herein below. 

Provisional application no. 60/091,270 (referenced herein) was filed without page 
numbering. Therefore, for the Examiner's convenience, Applicants have applied page 
numbering to the provisional, and submit herewith an Appendix A consisting of those pages 
cited in this Response. 

Support for Independent Claims 

Claim 1 

The elements of claim 1 (shown in italics and within quotation marks) are supported 
in the following sections of the provisional application, among others: 

• "a security system for a computer apparatus, wherein said computer 
apparatus includes a processor and system memory" is supported, for 
example, in the first paragraph on page 44 (page entitled "DMW Introduces 
HostCHECK for UNIX Advanced Security Tool Set"). Such a UNIX system 
has a processor and system memory. Further support is found throughout 
page 65 (page entitled "...to protect: HostCHECK powers your company for
e-business with a suite of nine security tools integrated into one easy-to-use 
program"). 

• the security system comprising "at least one security module which under 
direction from the processor accesses and analyzes selected portions of the 
computer apparatus to identify vulnerabilities" is supported in the second and
third paragraphs on page 45 (page entitled "DMW Introduces HostCHECK
(Page 2 of 3)"), and from the last paragraph of page 51 to the end of page 52,
in the section entitled "Nine Security Modules".

• the security system comprising "at least one utility module which under the 
direction from the processor, performs various utility functions with regards 
to the computer apparatus in response to the identified vulnerabilities" is
supported on page 63, third paragraph; in the first paragraph of the first
column of page 67, in the pie chart found on page 70 of the provisional
application, and in the first paragraph on page 110, under the subheading
"Highest Level Component Interaction".

• the security system comprising "a security system memory which contains
security information for performing the analysis of the computer apparatus" is
supported, for example, on page 63, in the paragraph entitled "Immediate 
Security Improvements", and in the description of the DMW Vulnerability 
Database found on page 97. 

Claim 11

Support for the elements of claim 11 (shown in italics and within quotation marks)
may be found in the following sections of the provisional application, among others. 

• "A method of providing a security assessment for a computer system which 
includes a system memory" is supported throughout the provisional
application, for example in the last paragraph on page 44 through the final 
bullet point, page 45, and throughout page 65 (page entitled "...to protect: 
HostCHECK powers your company for e-business with a suite of nine security 
tools integrated into one easy-to-use program"). 

• the step of "providing a security subsystem in the computer system such that 
functionality of the security subsystem is directed through a processor for the 
computer system" is supported throughout the provisional application, for
example, in the figures shown on pages 110, 112, 115, 116, and on pages 117-118,
in the paragraphs following the heading "Subsystem Diagrams".

• the security performing the step of "identifying a configuration of the system"
is supported in the first paragraph (entitled "Configuration Check") of the second
column on page 65, in the first bullet point on page 70, and on page 111 (also
identified as page 13 of the Functional Description for HOSTCHECK 2.0),
under the heading "Configuration Detection System". 

• the security performing the step of "accessing the system memory" is 
supported at least in the paragraphs in the subsection entitled "Directory 
Check Locates Security Flaws and Prompts Auto Correction", page 53, and on 
page 111, under the subheading "Directory Scanner". 

• the security further "performing at least one procedure to provide a security 
assessment for at least one aspect of the computer system" is supported in the
second and third paragraphs on page 45 (page entitled "DMW Introduces
HostCHECK (Page 2 of 3)"); from the last paragraph of page 51 to the end of
page 52, in the section entitled "Nine Security Modules", and in the second
paragraph under the subheading "Highest Level Component Interaction", page
110.

• "as a result of any vulnerabilities discovered in the assessment, identifying 
corrective measures to be taken with regards to the computer system" as a
result of vulnerabilities discovered is supported in the third bullet point on 
page 45 and in the third bullet point on page 76 of the provisional application. 

• "reporting the discovered vulnerability and the identified corrective 
measures" is supported, for example, by the third through sixth bullet points
on page 89; in the last two paragraphs on page 45, under "Intelligent
Monitoring and Reporting", and in the section entitled "Usable Reports",
middle of page 51.

• support for the security performing a step comprising "upon receiving an 
appropriate command, initiating the corrective measures" is found on page 49
and in the last paragraph on page 63 (under "Immediate Security
Improvements") of the provisional application.

Support for Dependent Claims 

Claims 2-10 and 12-20 depend from independent base claims 1 and 11 (respectively),
and therefore receive like benefit of support from the provisional application. The
provisional further supports the features of dependent claims 2-10 and 11-20 (shown in italics
and within quotation marks) as exemplified below:

Claim 2

Support for the security system "including at least one graphical user interface in
connection with the computer apparatus through which a system user may direct operations
of the security system" is shown in the screens exemplified throughout the provisional, for
example, on pages 48, 49, 74, 93 and 95, and further on page 51, second paragraph (Section 
entitled "A Friendly GUI"). 

Claim 3 

Support for the security system "including a reporting module which provides status 
information to the GUI with regards to operations of the security system" is found in the
paragraph on page 127, and in the paragraph entitled "A Friendly GUI" on page 51 of the
provisional application. 

Claim 4 

Support for the security modules including at least one of: 

• "a configuration/system module which performs an initial analysis of the
computer system to acquire configuration information" is found in the first
paragraph on page 45, and in the first paragraph (entitled "Configuration Check")
of the second column on page 65, and in the six paragraphs under the 
subheading "Configuration Detection Systems", page 111; 

• "a directory checking module which analyzes directories and files in the 
system memory to determine if security critical files have been tampered with"
is found in the description of "Directory Check" on pages 53; 65 (first 
column), and 73-74, and in the description of "Directory Scanner", page 112; 

• "a user manager module which analyzes the system memory with regards to 
improper or invalid permissions given to users of the system for accessing 
particular files" is shown in the descriptions of "User Manager" and "User
Check", covered in the first and second paragraphs on page 56, respectively, 
and further under the subsection "User Manager", page 115; 

• "an integrity checking module which analyzes files in the system memory to 
identify system vulnerabilities" is found in the descriptions of "Integrity
Check", page 55, and "Integrity Checker", page 114;

• "a network checking module which analyzes the computer apparatus to 
identify vulnerabilities created as a result of the computer apparatus 
connecting with a data network" is found, for example, in the description of
"Network Check" on page 59, first paragraph, and in the first paragraph on 
page 116, under the subheading "Network Manager"; and 

• "a password checking module which analyzes passwords for users of the
computer apparatus to identify vulnerabilities" is found from the final
paragraph on page 56 through the sixth paragraph on page 57, and under
"Integrity Checker", page 114 of the provisional application.

Claim 5 

The utility modules including at least one of: 

• a "user manager module including functionality to create a user account,
modify the user account, delete the user account, create a user template, edit
the user template, and delete the user template" is supported on page 106 in
the bullet points found under the subheading "User Management Functions";
page 115, under the subheading "User Manager"; and in the "Appendix A—
Alphabetized Function List" beginning on page 216, specifically, in the fourth
and 33rd functions on page 216, and in the third function on page 217.
Additional support is found on page 228 of the application (corresponding to
page B-8 of the "Appendix B-- Directory Structure Contents").

• "a file removal module which deletes selected files from the system memory 
and removes links to the deleted file" is supported on page 57, last paragraph 
entitled "RemoveIT", and on pages 86 and 87 of the provisional application.

• "a file marking module which marks selected files" is supported in the
description and screen printout of the "MarkIT" feature, found on pages 92 
and 93 of the provisional application. 

• "a scheduling module which may be employed to schedule any and all of the 
security modules to perform analysis of the system memory" is supported on 
pages 94-95 and on page 59 of the provisional application, in the third 
paragraph describing "Schedule IT". 

Claim 6

"...the computer apparatus comprising a Unix server" is supported on pages 44-48 of
the provisional application, in the article entitled "DMW Introduces HostCHECK for UNIX 
Advanced Security Tool Set". 

Claim 7

"The security system of claim 6 wherein the server is connected to a data network" is
supported at least on page 60, third paragraph, and on page 63, final paragraph.

Claim 8

"a plurality of interface screens" being "presented at the GUI for controlling
operations of the security system" is found at page 51, second paragraph; on page 127, and in
the depiction of various interface screens on pages 48, 49, 74, 93 and 95. 

Claim 9 

Support for the system memory comprising "a list of known vulnerabilities which 
may be employed by the integrity checking module" is found at least on page 55, final
paragraph, and in the diagram shown on page 115 of the provisional application.

Claim 10 

Support for the system memory comprising "dictionaries and other tools employed by 
the password checking module" is found in the third bullet point describing "CrackIT" on
page 83, and in the final bullet point under "Password Cracker" on page 113 of the
provisional application. 

Claim 12 

The elements of claim 12 are supported throughout the provisional application as 
exemplified below: 

• support for "performing an analysis of the directories and files in the system 
memory to determine if security critical files have been tampered with" is
found on page 58, final two paragraphs; in the first paragraph, first column of
page 65; in the third bullet point describing "Directory Check" on page 73,
and under the section "Directory Scanner" on page 112 of the provisional
application. 

• "analyzing the system memory with regards to improper or invalid permission 
given to users of the system for accessing particular file" is supported, for
example, in the first and fourth bullet points of the description of "Directory
Check", page 7; in the description of "Permissions Check", page 75, and under
"User Manager", page 115.

• support for "analyzing the system memory to identify system vulnerabilities"
is found throughout the provisional, for example, in the final paragraph on
page 44, under the subheading "Elements of Improved Security", and on page
114 under "Integrity Checker".

• "analyzing the computer apparatus to identify vulnerabilities created as a 
result of the computer apparatus connecting to a data network" is supported 
in the description of "Network Check" on page 59, first paragraph, and in the 
first paragraph on page 116, under the subheading "Network Manager".

• support for "analyzing passwords for users of the computer apparatus to 
identify vulnerabilities" is found in the first through sixth paragraphs on page
57, and under "Password Cracker", page 113 of the provisional application.

Claim 13 

Support for the elements of claim 13 is found at least in the sections of the
provisional application identified below: 

• support for "amending, deleting or creating user account" based on identified
vulnerabilities is found on page 106 in the bullet points found under the 
subheading "User Management Functions"; on page 115, under the 
subheading "User Manager"; and in the "Appendix A— Alphabetized Function 
List" beginning on page 216, specifically, in the fourth and 33rd functions on
page 216, and in the third function on page 217. 

• support for "amending, deleting, or creating user templates" is found in the
sections cited in the above bullet point, and additionally on page 228 of the 
application (which corresponds to page B-8 of the "Appendix B-- Directory 
Structure Contents"). 

• "deleting selected files from the system memory and removing links to said 
file" is supported in the descriptions of "RemoveIT" (page 57), "WipeIT"
(page 116), and "Secure File Wipe" (pages 125-126).

• "marking of selected files within the system memory" is supported, for 
example, in the section entitled "Mark/Unmark Subsystem", found on page 
187 of the provisional application.

Claim 14

Support for the steps of "accessing individual files in the system memory";
"identifying the type of file contained therein"; and "making a determination as to whether
the permissions for the identified file are secure" is found under the subheading
"Directory Check", found in the first column on page 65, and under "Directory Scanner", 
page 112. 

Support for the step of "providing a report describing the insecurity" is found in
the bullet point description of "AutoCorrect" on page 76, and in the bullet point description
of "ReportIT" on page 89, and in the first paragraph on page 115 of the provisional
application. 

Support for the steps of "providing corrections for the detected files which are
insecure" and "initializing corrective action upon receiving direction" is found in the
paragraph on page 49; in the paragraph on page 54; in the bullet point description of 
"AutoCorrect" on page 76, and in the first paragraph on page 113. 

Claim 15 

Support for the steps of "performing a user check to see if a user owns his or her 
home directory"; "performing a check to see if the user's group owns the home directory"; 
"performing a check to see if user related files are valid"; and "performing a check to see if 
the user's directory exists" is found, for example, on page 106 under the section entitled 
"User Security Examinations", particularly in the lead paragraph and in the first, second and 
third bullet points. 

Claim 16 

The step of "providing a vulnerability database which includes a number of identified 
system vulnerabilities" is supported at least on page 107, under the subsection entitled 
"Vulnerability Database". 

The steps of "accessing the individual files in the system memory"; "determining 
whether the file's owner matches a predetermined profile"; "determining whether the file's
group matches a predetermined profile"; and "determining whether the permissions
associated with the file match a predetermined profile" are supported in the section cited
immediately above, and further supported on pages 135-136, in the sections entitled "Profile
Database" and "Vulnerability Database".

The step of "determining whether the files predate a patch" is supported at least on
page 107, in the first bullet point under the subsection entitled "Vulnerability Test Methods" 
under the subsection entitled "Vulnerability Database". 

The step of "providing a report on any vulnerabilities which may exist in the system 
memory" is supported in the bullet point description of "AutoCorrect" on page 76, and in the
bullet point description of "ReportIT" on page 89. 

Claim 17 

The steps of "checking for insecure configuration files"; "checking running of
excessive system services"; and "checking whether the computer system is running in the
promiscuous mode" are supported at least on page 116, in the section under the heading
entitled "Network Manager".

Claim 18 

The following steps of claim 18 are supported on page 124, in steps 1-17 under 
"Password Checker" (see especially items 1, 2, 7-9 and 12). Additional support is found on 
page 57, paragraphs 1-6 and on page 105, Phases 1-9, of the provisional application. 

• "identifying all passwords for the users of the computer system";

• "reading the passwords and for each identifying a next similar salt entry";

• "identifying a next predetermined number of words from the dictionary";

• "performing a word filtering method with regards to the passwords to add to
the word list";

• "determining whether the word is in the list"; and

• "removing the user from the list."

Claim 19 

Support for the method of providing a security assessment for a computer system 
including the step of "displaying a result of the security analysis via a graphical user 
interface" is found in the screens exemplified throughout the provisional, for example, on
pages 48, 49, 74, 93 and 95, and further in the description of "A Friendly GUI", page 51. 

Claim 20 

Support for the method of providing a security assessment for a computer system 
"wherein the computer system is connected to a data network" is supported at least on page 
60, third paragraph; on page 63, final paragraph, and in the diagram on page 128. 

Response to Office Action mailed 11/5/2003 in U.S. Serial No. 09/834,334, entitled
METHOD AND APPARATUS FOR ASSESSING THE SECURITY OF A COMPUTER SYSTEM

Atty. Docket No. 405836

As detailed above, claims 1-20 are supported by provisional application number 
60/091,270, filed 15 June 1998. CyberCop, with an effective date of February 8, 1999, is 
therefore not prior art to the present application. Additionally, CyberCop fails to teach each 
and every element of claims 1-20. It is clear from the Examiner's comments that Security 
Audit also fails to teach each and every element of claims 1-20, as required under 35 U.S.C. 
§103, since, for example, Security Audit must now teach every element without benefit of 
CyberCop. Note the following quotation from the MPEP setting forth the three basic
criteria that must be met to establish a prima facie case of obviousness: 

To establish a prima facie case of obviousness, three basic criteria 
must be met. First, there must be some suggestion or motivation, 
either in the references themselves or in the knowledge generally 
available to one of ordinary skill in the art, to modify the references or 
to combine reference teachings. Second, there must be a reasonable 
expectation of success. Finally, the prior art reference (or references 
when combined) must teach or suggest all the claim limitations. 
MPEP, §2142, citing In re Vaeck, 947 F.2d 488, 20 USPQ2d 1438 
(Fed. Cir. 1991). 

Security Audit cannot teach each element of claims 1-20 and, therefore, fails under 
these requirements. Reconsideration and allowance of claims 1-20 is now requested. 

According to MPEP 715, an inventor affidavit under 37 C.F.R. §1.131 is 
inappropriate in this circumstance, since the effective filing date of the present application 
(claims 1-20) is prior to the earliest priority date (February 8, 1999) of CyberCop. 

CONCLUSION

In summary, Applicants have shown support for all of Claims 1-20 within the 
provisional application. As the provisional application was filed prior to the CyberCop 
effective date, CyberCop is not available as prior art to claims 1-20. Therefore, withdrawal 
of all of the Examiner's rejections under 35 USC §103 is requested. Applicants have 
amended Claim 18 to overcome the Examiner's rejection and objections, and have further 
amended claims 4, 11, 13, 14, 17 and 19 for editorial clarity. 

In view of the above Amendments and Remarks, Applicants have addressed all issues 
raised in the Office Action dated November 5, 2003, and respectfully solicit a Notice of 
Allowance for claims 1-20. Should any issues remain, the Examiner is encouraged to 
telephone the undersigned attorney. 

A Petition for one month's extension of time to reply is submitted herewith, extending 
the period for reply up to and including March 5, 2004. Authorization to charge the 
necessary fee of $55 for a small entity to Deposit Account 12-0600 is granted within the 
attached Petition for one month's extension of time. It is believed that no further fees are 
due; however, if any additional fee is required in connection with this Amendment and 
Response, the Commissioner is further authorized to charge such fee to Deposit Account 12- 
0600. 

Respectfully submitted, 



Date: [illegible]    By:

Curtis A. Vock, Reg. No. 38,356
LATHROP & GAGE L.C.
4845 Pearl East Circle, Suite 300
Boulder, CO 80301
Telephone: (720) 931-3011
Facsimile: (720) 931-3001

For Immediate Release



DMW Introduces HostCHECK for UNIX Advanced Security Tool Set 

Powerful Solution Brings Security Expertise In-House, Enables E-Business 

Colorado Springs, CO - April 28, 1998 - DMW Worldwide LLC today unveiled 
HostCHECK™ for UNIX, an integrated suite of tools that delivers immediate enterprise 
security improvements and allows users to bring security expertise in-house. Featuring a 
JAVA-based graphical interface and one of the industry's largest vulnerability databases 
that contains almost 2,000 validated exploits, HostCHECK provides a simple, yet powerful 
way for companies to maintain a high level security posture on an ongoing basis. The 
product set is part of DMW's family of adaptive e-business solutions that helps companies 
leverage the power of advanced networks in order to conduct business and deliver service 
online in a secure environment.

"Even though information protection has become one of the greatest concerns for 
CIOs today, most companies still rely only on firewall devices and also lack the tools and 
expertise in-house to ensure that all systems are safe from intrusion and suspicious 
behavior," said Dr. Bruce Hartley, executive vice president and chief technology officer for
DMW. "HostCHECK is a key element of an enterprise security architecture that helps 
companies realize an immediate improvement in security, then easily maintain that level of 
security as the company changes." 

Elements of Improved Security 

HostCHECK features nine modules that each focus on a specific security aspect of a 
UNIX-based host machine. Working together, these tools determine the vulnerabilities and 
weaknesses of each system, giving users the ability to evaluate, assess, correct, manage and 
monitor security. 

• Evaluate - The Configuration Check module automatically detects system characteristics,
allowing HostCHECK to correctly configure itself on the installed platform. It identifies files
considered critical to the security configuration of the computer or files that, if tampered with,
can be used for penetration purposes.

• Assess - Several modules perform a thorough security assessment on the host system. These
[...] another assessment module capable of cracking passwords locally or remotely with the goal of
helping organizations improve the integrity of file access passwords. Directory Check, which
searches files for insecure permissions, is extremely fast, checking the security of up to 30,000 files
in 60 seconds.

• Correct and Improve - The AutoCorrect feature is designed so that when HostCHECK detects a
problem, it displays a screen prompt that identifies the vulnerability, suggests a correction and
provides the rationale and impact of that correction. This feature provides the host with an
immediate improvement in se[...]
include MarkIT, allowing users to mark security critical files; Review*, which allows users to
review and change audit trail settings; RemoveIT, a secure file wipe program; and the User
Manager.

• Manage Configuration - The User Manager provides administrators with a standard interface
that can be run across multiple UNIX platforms and allows them to manage account and group
structures uniformly. This eliminates the creation of new security vulnerabilities when new
accounts are created, thus greatly improving system administration and reducing security
weaknesses.

• Protect and Monitor - The Review* feature allows the administrator to review and modify
audit trail settings, while Network Check searches for sniffers running on the host and for
insecure entries in the network configuration.

Intelligent Monitoring and Reporting 

HostCHECK's Schedule* utility allows users to run checks on a regular basis, specific to the 
needs of each business, thus monitoring and protecting the security posture on an ongoing basis. 

While most security tools require an in-depth knowledge of security to understand their 
results, HostCHECK generates reports in simple formats that make the nature of each security 
problem easy to understand. The user can select comprehensive or specific reports, which can be 
printed, stored or shared via email to a specific user account, such as a manager. All reports are 
archived so that comparisons can be made between new and previous reports, making an intrusion 
simple to detect. 

Pricing and Availability

HostCHECK will be available from June through August at the initial price of $199 (U.S.)
for a single host. After that time, the list price will be $295 per host. Multi-host, site license and 
unlimited host pricing is also available. DMW will provide software maintenance packages, 
which include software updates, vulnerability database updates and technical support. 
HostCHECK for UNIX was developed in ANSI C to optimize speed and portability, requires 
32Mb of RAM and currently supports Solaris 2.3 or higher, SunOS 4.1X, FreeBSD, HP-UX v9
and v10, Digital UNIX2JC, Irix 6.X, AIX 4.X and Linux 2.X. DMW plans to introduce a version
for the NT platform later this year. 

About DMW 

DMW Worldwide LLC develops electronic business solutions that adapt quickly to 
changing technology and customer demands. The company's Timarou™ family of integrated 
solutions provides proactive customer care, convergent billing and network care. By combining 
these products with strategic business and network services, clients receive a seamless suite of
solutions to help them efficiently and securely conduct business over the network, as well as
proactively manage user and customer needs. Timarou solutions are flexible, adapting to
business environments and redefining what is possible with e-business - exceptional customer
relationships, real-time billing, end-to-end information services management and secure
worldwide communications. The privately held company is headquartered in Colorado Springs,
with additional offices in Boulder, New York, Silicon Valley, London and Tokyo. For more
information, contact (800) 369-4768 or visit www.dmwworldwide.com on the web.

DMW will feature HostCHECK demonstrations at the Networld+Interop conference,
May 5-7 in the Las Vegas Convention Center, booth #5508 in the South Hall. Contact Susan
MacCall to schedule press appointments.



### 



DMW, HostCHECK and Timarou are trademarks of DMW Worldwide LLC. Other product names may be 
trademarks of their respective owners. 

DMW WORLDWIDE

4965 North 30th Street • Colorado Springs, CO 80919
Tel: 719-548-1101 • 800-369-4768 • Fax: 719-548-1902
WWW: http://www.dmwworldwide.com

HostCHECK for UNIX: New Security for E-Commerce 

White Paper 



E-Business Creates Security Risks 

You can reach millions of potential customers through e-business. At the 
same time, you create new entry points into your systems, potential gateways 
for security breaches and risks. In 1997, DMW Worldwide conducted over a 
dozen controlled penetrations of major industries. In every case, we were 
successful — and in each case, the problem hinged on inadequate host 
security. 

Internet Firewalls protect perimeters. In the cases noted above, the firewall 
was inadequate protection. Clearly, better host-based security is needed to 
contain security problems if your firewall is breached, and to identify 
intrusions if they do occur. 

The Enterprise Security Model: A Layered Approach 

Many organizations have been lulled into a false sense of confidence with 
their computer security configuration by using firewall products. While 
properly configured firewalls prevent people from breaking into the 
computer from the outside, perimeter security is only one component of the 
Enterprise Security Model, which is based on a layered approach to security. 
This layered approach combines perimeter security, host-based security, 
security education awareness, and an incident response capability, which are 
interconnected by an Enterprise Security Policy. If the security inside the 
company is weak, it still remains an easy target. 

In light of the aging of available security tools, and the internal weaknesses 
that are generated as a result, a more advanced tool is needed to address 
UNIX security. DMW Worldwide is filling the void with HostCHECK™. 

What is HostCHECK? 

HostCHECK is a UNIX computer security program developed in ANSI C. 
It is arranged in a modular/integrated form and consists of nine computer 
security modules and several utilities, each testing a different aspect of the 
computer's security. These modules are tightly integrated to form a 
complete security package. 

HostCHECK Is an Integrated Security Package 

The program was designed to focus on internal computer security, that is, 
locating the security problems that can be exploited from a user already 
logged into the computer system. HostCHECK is able to keep intruders out 
of the computer system by identifying improper configuration and making 
the problem easy for the system administrator to repair. 

Today, many mission-critical business functions are run on UNIX servers. 
HostCHECK integrates features normally offered as stand-alone security 
products and incorporates them into one package with up-to-date security 
and vulnerability information. HostCHECK addresses many of the 
deficiencies found in other UNIX security tools, providing an easy-to-use 
interface and user-friendly output reports. This enables less-experienced 
UNIX administrators to use and benefit from the tool. 

HostCHECK Screen with Security Tab Pull-down 

HostCHECK Provides Immediate Security Improvement 

HostCHECK is set apart from other UNIX security tools by its AutoCorrect 
capability, which can immediately improve the security posture of a UNIX 
host. Through interactive dialogue boxes, HostCHECK describes the 
vulnerabilities found on the system, suggests corrective measures, and 
provides the rationale for the corrections. The system administrator may 
then request that HostCHECK implement the corrective measures to 
eliminate the identified vulnerability. 




HostCHECK AutoCorrect Screen 

password scheme the system uses, file-system construction, etc. 
HostCHECK uses this information during the initial set-up of the software. 
The result is a security baseline customized to the current system 
configuration. 

A Friendly GUI 

HostCHECK's JAVA-based GUI makes it easy to use for all system 
administrators. Interactive dialogue boxes explain the vulnerabilities found, 
give a rationale for correction, and prompt the user to make the corrections 
immediately. Color-coding of screens helps alert users when problems do 
arise. HostCHECK may be executed three different ways: through the GUI 
buttons and pull-down menus, through Text Mode Interface, or through the 
use of UNIX commands. 

Usable Reports 

Most security tools are hard for the novice administrator to use, and their 
output is both cryptic and difficult to understand. Many of these tools 
identify problems, but leave determining the solution to the system 
administrator. To further compound the problem, inexperienced 
administrators may tend to ignore suggested corrections due to time 
constraints or lack of experience. 

HostCHECK's output reports are easy to read, descriptive of the location of 
the problem, the dangers involved, and are useful in educating the system 
administrator on security practices. Other reporting systems are hard to 
understand, and do not explain the problem in detail. HostCHECK's 
ReportIT utility generates reports in non-technical, plain English that explain 
the nature and severity of the problem found, what can be done to fix the 
problem, and where patches and additional information about the problem 
can be found on the Internet. Comprehensive or specific reports can be 
specified, and these reports can be printed, stored as text files, or mailed to a 
specified user account. All reports are archived and comparisons can be 
made between new and previous reports, aiding in intruder detection. 



HostCHECK Password Report Screen 

Nine Security Modules 

HostCHECK consists of nine security modules along with supporting 
utilities. Each security module focuses on a different aspect of computer 
security, and has a pathway of communication with each of the other 
modules. The security modules are: 

♦ Directory Check 
♦ Integrity Check 
♦ User Manager 
♦ User Check 
♦ CrackIT 
♦ RemoveIT 
♦ ReviewIT 
♦ Network Check 
♦ Configuration Check 

HostCHECK was designed to be a comprehensive host security system, 
rather than providing a single solution to isolated security problems. Thus 
HostCHECK contains more functions than other security programs currently 
on the market. 

The graph below compares the number of security exams run by 
HostCHECK to other comparable products. 

Number of Security Exams 

Directory Check Locates Security Flaws and Prompts Autocorrection 

Directory Check is the true heart of HostCHECK, and is one of the most 
unique and effective features of the package. The Directory Check searches 
through all the files in a UNIX computer's file system to locate security 
flaws developed from accidents, improper configuration, pre-existing bugs, 
or even hacker intrusions. 

The Directory Check runs a series of tests to determine if the information in 
"critical" files has been tampered with. A "critical" file is any file that alters 
or changes the system's security (such as a set user id or set group id file, a 
device driver, or a configuration file flagged as critical by Configuration 
Check). Each critical security file's checksum, SHA-1 message digest, 
length, permissions, ownership, and group are compared against the 
Directory Check's previous run.¹ Other files are examined for secure file 
permissions to ensure new files of security concern are tracked. Likewise, 
device drivers are examined for correct association of file rights and 
ownership to the major and minor number of the device. 

¹ On initial installation, HostCHECK compares against a database derived from the original manufacturer's 
distribution media. 

HostCHECK Directory Check Screen 

AutoCorrect Allows Immediate Correction of Security Problems 

One of the more useful features of the Directory Check is its ability to 
explain a found error in detail and describe how the problem impacts the 
overall security of the system. In most cases, it also prompts the system 
administrator to implement the suggested corrective measure for the security 
problem. This AutoCorrect feature ensures that quick solutions for the 
system administrator are available as soon as the problem is identified. 
Another outstanding feature of the Directory Check is its speed. Written in 
ANSI C using efficient programming techniques, it usually takes only a 
minute or two to scan file systems consisting of tens of thousands of files.² 

² In a benchmark test, a file system containing fifty thousand files on an 80486-50DX computer took only 
84 seconds. 

The graph below illustrates the speed of HostCHECK compared to other 
products. 

Security "Consultant Grade" Exam* 

* Tested on SPARCstation LX with 32 MB of RAM 
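The Directory Check comparison described above can be sketched as follows. This is an added example, not HostCHECK code: the function names, the CRC-32 choice for the "checksum", and the `marked` set standing in for files flagged by Configuration Check are assumptions, and device-driver checks are left out.

```python
import hashlib
import os
import stat
import zlib

# Attributes the white paper lists for comparison against the previous run.
FIELDS = ("checksum", "sha1", "length", "mode", "uid", "gid")
SETID = stat.S_ISUID | stat.S_ISGID


def fingerprint(path):
    """Build the comparison record for one regular file."""
    st = os.lstat(path)
    crc, sha1 = 0, hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(block, crc)  # assumed checksum algorithm
            sha1.update(block)
    return {
        "checksum": crc,
        "sha1": sha1.hexdigest(),
        "length": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def snapshot(root):
    """Fingerprint every readable regular file under root (symlinks skipped)."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if stat.S_ISREG(os.lstat(path).st_mode):
                    records[os.path.relpath(path, root)] = fingerprint(path)
            except OSError:
                continue  # vanished or unreadable; a real tool would report it
    return records


def is_critical(record, path, marked):
    """Critical = set-user-id/set-group-id, or marked by the administrator."""
    return bool(record["mode"] & SETID) or path in marked


def compare(baseline, current, marked=()):
    """Return sorted (path, finding, detail) tuples for the current run."""
    findings = []
    for path, now in current.items():
        before = baseline.get(path)
        if before is None:
            # New files are tracked only when they are of security concern.
            if now["mode"] & SETID:
                findings.append((path, "new set-id file", [oct(now["mode"])]))
            elif now["mode"] & stat.S_IWOTH:
                findings.append((path, "new world-writable file", [oct(now["mode"])]))
            continue
        if is_critical(now, path, marked) or is_critical(before, path, marked):
            changed = [f for f in FIELDS if before[f] != now[f]]
            if changed:
                findings.append((path, "critical file changed", changed))
        elif now["mode"] & stat.S_IWOTH and not before["mode"] & stat.S_IWOTH:
            findings.append((path, "became world-writable", [oct(now["mode"])]))
    for path in set(baseline) - set(current):
        if is_critical(baseline[path], path, marked):
            findings.append((path, "critical file missing", []))
    return sorted(findings)
```

SHA-1 is used because the white paper names it; a current deployment would substitute `hashlib.sha256`, and the baseline itself has to be stored where an intruder on the host cannot rewrite it.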



Integrity Check Uses Extensive DMW Vulnerability Database 

Many UNIX security vulnerabilities are included in the initial operating 
system and were discovered after public usage. Even if an administrator were 
to patch these security vulnerabilities, reinstalling the operating system or 
missing a critical security announcement may allow the system security to be 
compromised. The Integrity Check module identifies and keeps track of 
these vulnerabilities. 



The Integrity Check module searches for security problems that are 
associated with a specific platform and notifies the system administrator that 
a problem exists. Information is then made available to the system 
administrator as to the nature of the vulnerability and where the appropriate 
patch may be found. 

An extensive database of existing security vulnerabilities and patches is an 
integral part of HostCHECK and is used to run a comparison against the 
computer's integrity. This information comes from the DMW Vulnerability 
Database, which consists of information pooled from many sources, such as 
advisories, trade journals, hacker publications, Computer Emergency 
Response Team (CERT®) reports, and in-house vulnerability testing and 
analysis. Currently, the DMW Vulnerability Database is one of the largest 
on the market, containing close to 2000 vulnerabilities. 



The graph below shows HostCHECK's Vulnerability Database compared 
to those of other products. 

Number of Vulnerabilities Checked 

User Manager Allows Interface to Run Across Multiple UNIX Platforms 

Good user management systems are difficult to find and typically are not 
portable. To address this need, the User Manager module was created to 
provide an easy-to-understand user management system that not only 
identifies security problems associated with user accounts, but also allows 
user accounts to be created in proper groups, making user management 
easier and more secure. 

The User Manager Tool provides extensions to the basic concept of groups 
in UNIX, which allows several groups of users, each with different styles of 
home directories, access privileges, and shells. 

User Check Monitors User Access 

The User Check performs routine security checks to determine whether or 
not system users have allowed easy access into the machine from the outside 
(by way of their ".rhosts" file), or if a security problem exists, such as users 
not owning the rights to their home directory or files within their home 
directory. 

CrackIT Ensures Password Security 

Many times the security of a system is compromised by poor passwords. 
Easy-to-guess passwords such as "system," "password," or "secret" can 
allow a breach in security. Even if a hacker were to steal the system's 
password file and attempt to crack passwords, it is critical to have a 
password protection system capable of attaining very high speeds and 
providing a reasonably high certainty that the system's users have 
difficult-to-guess passwords. 

HostCHECK's CrackIT module ensures the security of your system's 
passwords by examining and identifying all existing weak passwords. Once 
these have been changed and rechecked for security, the probability of a 
security breach due to poor passwords is greatly reduced. 



CASE STUDY - Passwords Cracked by HostCHECK Scrutiny 

During a recent penetration engagement, 800 standard UNIX DES 
passwords were audited. Two computers split the task: an UltraSparc 1 and 
a Pentium 166. Using the DMW CrackIT software package, the audit 
performed over one and a half billion password cracking attempts in slightly 
over three days. The audit resulted in passwords for 35% of the accounts, 
and the first password was obtained less than three minutes into the audit. In 
a separate audit performed on a Pentium 90 notebook over the course of a 
weekend, 264 UNIX accounts were examined, yielding 212 guessed 
passwords (80%). 

Maximum CPU Time Utilized 

The CrackIT module is optimized to utilize maximum CPU time available to 
achieve the highest possible speeds. The password checking algorithm 
incorporates such time-saving techniques as "same salt" and "similar salt" 
cryptographic shortcuts. 

Besides guessing information from dictionaries, the words may also be 
"filtered" through various change techniques to create derivative words that 
might not be found in a dictionary but are still easy to guess. For example, 
the letter "t" looks like the symbol "+". Therefore, if the filter were to 
receive the word "testing," it would generate and test the word "+es+ing." 
Currently, there are 8,192 combinations in the filter and others still planned. 

Also, the GECOS password field (the segment of the password line usually 
containing the user's name and office telephone number) is also used to 
generate password guesses. A total of 363 combinations are searched, and 
three common generations from a line of information such as "John Q. 
Public, 555-3090" would be "John3090", "PublJohn", and "Publ5553". 

CrackIT is also available separately or packaged with the RemoveIT and 
ReviewIT tools. 

RemoveIT Ensures File Security 

Sensitive information often must be removed from the system. The 
administrator must ensure that the data are destroyed; merely deleting the 
file does not ensure the data are inaccessible by other means. 

The RemoveIT utility is a secure means for deleting sensitive information 
and conforms to DoD specifications. The file containing the sensitive 
information is removed by overwriting the file multiple times, each time 
verifying that the information has been properly deleted. With this method, 
users of the system cannot recover the file. 

RemoveIT is also available separately, or packaged with the CrackIT and 
ReviewIT tools. 



HostCHECK RemoveIT Screen 

ReviewIT Provides More Intrusion Detection Capability 

The ReviewIT tool allows the system administrator to review audit trail 
settings, and to interactively change audit trail settings. ReviewIT allows the 
administrator to evaluate current audit trails against recommended audits, 
configure audit trails on the fly, and further define audit requirements, audit 
specific users, and create usable, intelligible audit reports. ReviewIT is also 
available separately, or packaged with the CrackIT and RemoveIT tools. 

Security Check Tracks and Corrects File Permissions 

A typical UNIX operating system is comprised of over 10,000 files. It is 
virtually impossible for a system administrator to know all the suggested 
permissions for each file. The Security Check compares the permissions and 
ownership of system files against a database of DMW's recommended 
permissions for those files. 

If an intruder were able to modify just one of the files, it is possible for him or 
her to create an easy access path into the operating system. Also, normal 
daily activity could inadvertently change the permissions of one of these 
files in such a way as to allow a casual observer to gain additional access. 
Security Check is a way of checking and preventing this. 

Network Check Monitors Intrusions 

The Network Check is designed to examine and display aspects of the 
computer's network security configuration. If the Network Check 
determines the computer is running in "promiscuous" mode (a state referring 
to the Ethernet adapter), it means a "sniffer" program is running on the 
computer system. In this situation, it is likely that an active intrusion is 
taking place on the network. 

During Network Check, HostCHECK automatically executes the Port 
Scanner to determine which TCP services are running on the host. A TCP service 
is any session-oriented communication where the computer system will 
allow outside computers to initiate communication with it (i.e., FTP, Telnet, 
and Remote Login Services). The Internet server configuration file is 
summarized and displayed to show all network services being provided. 

ScheduleIT Aids in Intrusion Detection and Monitoring 

Business environments as well as operating systems are dynamic. With 
HostCHECK, companies have a powerful way to not only assess and correct 
security problems, but to monitor and protect their security posture over 
time. HostCHECK's ScheduleIT and ReportIT utilities allow users to run 
checks on a regular basis and to compare new reports to archived reports. 
Using ReviewIT and Network Check to search for "sniffers" running on the 
host, check for insecure entries in the network configuration, and to review 
and modify audit trail settings provides businesses with the strong intrusion 
detection and control they need. 

HostCHECK ScheduleIT Screen 

HostCHECK Fills the Need for Better Security 

CERT® has reported thousands of computer incidents annually, affecting 
over 46,000 computers.¹ In fact, 520 U.S. companies reported a total loss 
[illegible] 36 million from computer crime and security [illegible] 
from the previous year.² Because of the vast numbers of UNIX platforms 
[illegible] the flow of information on the Internet, the need for 
quality computer security products has become clear. 

HostCHECK was designed to fill this need. Its modular design makes it 
capable of including any security programs needed for the ever-expanding 
[illegible] of UNIX security issues. HostCHECK is focused on portability, 
[illegible] and user-friendliness, with modules that are more powerful and 
[illegible] than existing security tools. The key difference between 
HostCHECK and other UNIX security tools is HostCHECK's ability to 
report potential security vulnerabilities, and its AutoCorrect mechanism, 
enabling the system administrator to take the appropriate corrective actions. 
Thus, HostCHECK produces immediate improvements in the overall 
security posture. 

Easy and Frequent Updates 

HostCHECK may also be easily updated. Because HostCHECK relies on its 
Vulnerability Database for the majority of its security [illegible], updates are 
easily installed since they do not require rewriting the code. HostCHECK's 
Vulnerability Database is updated frequently, allowing HostCHECK to 
remain a cutting edge product and to continue to provide customers with the 
powerful internal security they need to conduct e-business. 

HostCHECK: The Power to Protect 

If you use UNIX, you need HostCHECK. HostCHECK complements 
existing security mechanisms, such as firewalls, to create a secure 
environment that enables e-business. Why take the risk? Why be a statistic? 
Get HostCHECK, and get the power to protect. 

¹ From the Computer Emergency Response Team 1997 Annual Report, the CERT® Coordination Center 
² [illegible] 

HostCHECK powers your company 
for e-business 



The Power to Protect 

HostCHECK's security modules are complemented by powerful features: intelligent 
reporting, a friendly GUI, and the ability to make immediate security improvements. 
Developed in ANSI C for both speed and portability, HostCHECK's modular architecture 
gives it optimal performance— HostCHECK completes its "security consultant grade" 
examination in less than two minutes compared to ten for its nearest competitor. 

User-Friendly Power 

HostCHECK's JAVA-based GUI makes it easy to use even for novice administrators. 
Interactive dialogue boxes explain the vulnerabilities found, give a rationale for the 
correction, and prompt the user to make the corrections immediately. Color-coding of 
screens helps alert users when problems do arise. HostCHECK may be executed in 
three different ways: through the GUI buttons and pulldown menus; through Text 
Mode Interface; or through the use of UNIX commands. 



Designate additional security-critical files with MarkIT. Make 
immediate security improvements with AutoCorrect. Run regular 
and automated checks with ScheduleIT. 

Intelligent Reporting 

Most security tools have output that is highly cryptic and hard to understand. 
HostCHECK's ReportIT utility generates reports in non-technical, plain English 
and explains the nature and severity of the problem found, what can be done 
to fix it, and where patches and additional information about the problem are 
located. Comprehensive or specific reports can be specified, and these reports 
can be printed, stored as text files, or mailed to a specific user account. All 
reports are archived and comparisons can be made between new and previous 
reports, adding critical intrusion detection capability to the security tool set. 

Immediate Security Improvements 

HostCHECK's extensive database of close to 2000 vulnerabilities and its AutoCorrect 
feature give you the power to secure your system immediately. The Vulnerability 
Database is compiled from both public and semi-public sources and each vulnerability 
is cross-referenced to advisories, patches, exploits, and functions. AutoCorrect is 
designed so that when HostCHECK detects a problem, it identifies the problem on 
screen for the user, recommends a solution to improve security, and then provides the 
rationale for that correction. This gives the System Administrator the ability to make 
immediate improvements to the company's security posture. 

Directory Check: Searches every file on the system for security problems. Detects 
unsecure file permissions as well as file tampering, newly created "setuid" files, 
Trojan horse installations, and viruses. Checks for unusual device permissions, 
ownership, and groups. Fingerprints all security-critical files using checksums, file 
length, and SHA-1 secure hash. Directory Check is very fast, checking the security of 
up to 30,000 files in 60 seconds. Directory Check includes the Permissions Check 
utility, which checks defaults on 1400 possible mis-configured files. Permissions 
Check allows automatic changes and has a rollback capability, allowing the 
administrator to try many security approaches safely. AutoCorrect capability prompts 
users to correct identified problems and provides an explanation of each vulnerability 
discovered. 

Integrity Check: Checks for pre-existing security problems by cross-referencing 
against the extensive DMW Vulnerability Database. As part of HostCHECK's 
AutoCorrect capability, the user is prompted to immediately correct any identified 
problems. For those vulnerabilities that HostCHECK cannot immediately correct, 
HostCHECK provides the WWW page references where more information and the 
vendor patch are located. To date, CERT has issued 827 vulnerability reports. DMW's 
Vulnerability Database contains close to 2,000 vulnerabilities. 



Configuration Check: Detects system characteristics, enabling HostCHECK to 
configure itself correctly; HostCHECK's ability to detect subtle details in the 
configuration of the computer makes it very portable across platforms. Identifies files 
considered critical to the security configuration of the computer or files that, if they 
are tampered with, can be used for easy penetration into the system. Automatically 
identifies the properties of the system for use in the initial software set-up. 

Network Check: Searches for sniffers running on the host and for unsecure entries in 
the network configuration. Displays all services running on the host, including those 
not registered with the Internet daemon. 

User Manager: Many security incidents are due to poor system administration. 
HostCHECK's User Manager allows system administrators to create interfaces that 
can be run across multiple UNIX platforms and to manage account and group 
structures, eliminating the creation of new security vulnerabilities when new accounts 
are created. 

CrackIT: Possibly the most effective password-cracking tool ever developed. CrackIT 
is extremely flexible; capable of cracking passwords locally or remotely, it is able to 
communicate with a wide range of different services. Options include selecting from 
multiple dictionaries containing millions of words in eighteen languages. CrackIT has 
advanced filtering and GECOS ability. 

ReviewIT: Allows administrators to both review and interactively modify audit trail 
settings. Allows evaluation of current audit trails against recommended audits, 
configuration of audit trails on the fly, further definition of audit requirements, 
auditing of specific users, and creation of usable, intelligible audit reports. 

User Check: Checks insecurities associated with users' accounts and home 
directories; detects open home directories, Trojan horses, and other security risks. 

RemoveIT: Obliterates a file from online media by overwriting its location 
repetitively. Follows the Department of Defense "Blue Book" removal guidelines for 
classified data remnants as set by the National Computer Security Center. Overwrites 
files using specific bit patterns and simple text strings. 

Customized Protection 

You can extend the flexibility of HostCHECK's protection with the MarkIT utility, 
allowing the administrator to select security-critical files, web pages, etc., for a 
security scan by HostCHECK. The unmark utility can remove protected files from the 
checking list, but contains a fail safe that prevents the exclusion of any 
security-critical components. 

Constant Monitoring and Detection 

Your business environment is dynamic, as is your operating system. HostCHECK 
provides a powerful mechanism to assess and correct security problems, and to 
monitor and protect your security posture over time. HostCHECK's ScheduleIT and 
ReportIT utilities allow you to run checks on a regular basis and to compare new 
reports to archived reports. Network Check searches for sniffers running on the host 
and checks for insecure entries in the network configuration. ReviewIT reviews and 
modifies audit trail settings to provide your business with the intrusion detection and 
control you need in today's changing environment. 

HostCHECK for UNIX is an integrated collection of security programs combined with 
DMW's state-of-the-art, extensive Vulnerability Database, a friendly and 
comprehensive reporting mechanism, and an intuitive and easy-to-use graphical user 
interface. HostCHECK goes far beyond just reporting security problems — 
HostCHECK's AutoCorrect mechanism allows immediate security improvements to 
take place within the tool, achieving an improved UNIX security posture the moment 
a security problem is identified. 

HostCHECK for UNIX was developed in ANSI C to optimize speed and portability, 
requires 32 MB of RAM, and now supports Solaris 2.3 or higher, SunOS 4.1.X, 
FreeBSD, HP-UX v9 and v10, Digital UNIX 2.X, Irix 6.X, AIX 4.X, and Linux 2.X. 

DMW Worldwide 

DMW Worldwide develops electronic business solutions that adapt quickly to 
changing technology and customer demands. Timarou™, the company's family of 
integrated solutions, provides proactive customer care, adaptive network care, and 
convergent billing. By combining these products with strategic business and network 
services, clients receive a seamless suite of solutions to help them efficiently and 
securely conduct business over the network, and to manage customer needs 
proactively. Timarou is flexible to adapt to dynamic business environments and 
redefine what is possible with e-business — exceptional customer relationships, 
real-time billing, end-to-end information services management, and secure worldwide 
communications. 

A secure infrastructure means business. HostCHECK powers 
your company for e-business. 

Phase 10: Brute force, all possible guesses shall be attempted (within the scope limitations 
of the encryption.) 

Unix Password Checking Limitations 

Not all methods of password examination are needed for the HostCHECK software package, so the 
following methods shall be needed within the UniCrack software package: 

- DES (Digital Encryption Standard) based password cracking 

Unix Password Storing Awareness 

Password files are stored differently on different UNIX flavors and configurations. 
The following methods shall be implemented in order to handle the majority of the UNIX platforms. 

- Standard /etc/passwd file standard 
- /etc/master.passwd file standard 
- /etc/shadow file standard 

User Management Requirements 

User Security Examinations 

Security tests shall be performed in order to determine if a user's security is poor. The tests performed by 
the user security system shall be: 

- User owns his/her home directory 
- User's group is associated with his/her home directory 
- User's home directory no longer exists 
- User doesn't have a possibly insecure $(HOME)/.rhosts 
- User doesn't have a possibly insecure $(HOME)/.netrc 
- User has a unique user ID number 
- User owns his/her mailbox 
- User's mailbox allows only user to read his/her mail. 
- System administrator can easily locate files on system associated with single user. 
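The user security examinations listed above, written out as an added example that is not part of the original specification. What counts as a "possibly insecure" .rhosts or .netrc is not defined on the page, so the rules in `check_dotfile`, the function names and the mail spool directory passed as a parameter are assumptions.

```python
import os
import stat
from collections import Counter, namedtuple

User = namedtuple("User", "name uid gid home")
OTHERS = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def parse_passwd(text):
    """Parse passwd(5) lines into User records, skipping malformed lines."""
    users = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit() and f[3].isdigit():
            users.append(User(f[0], int(f[2]), int(f[3]), f[5]))
    return users


def check_dotfile(user, filename):
    """Assumed rules: wrong owner, group/other access, '+' wildcard in .rhosts."""
    path = os.path.join(user.home, filename)
    try:
        st = os.lstat(path)
    except OSError:
        return []  # file absent: nothing to report
    problems = []
    if st.st_uid != user.uid:
        problems.append(f"{filename} not owned by user")
    if st.st_mode & OTHERS:
        problems.append(f"{filename} accessible by group or other")
    if filename == ".rhosts" and stat.S_ISREG(st.st_mode):
        try:
            with open(path, errors="replace") as fh:
                if any("+" in line.split() for line in fh):
                    problems.append(".rhosts contains a '+' wildcard")
        except OSError:
            problems.append(".rhosts could not be read")
    return problems


def audit_users(users, mail_dir):
    """Run the listed examinations; return (user name, problem) pairs."""
    findings = []
    uid_count = Counter(u.uid for u in users)
    for u in users:
        if uid_count[u.uid] > 1:
            findings.append((u.name, f"UID {u.uid} is not unique"))
        try:
            home = os.stat(u.home)
        except OSError:
            findings.append((u.name, "home directory does not exist"))
        else:
            if home.st_uid != u.uid:
                findings.append((u.name, "home directory not owned by user"))
            if home.st_gid != u.gid:
                findings.append((u.name, "home directory group differs from user's group"))
            for dotfile in (".rhosts", ".netrc"):
                findings += [(u.name, p) for p in check_dotfile(u, dotfile)]
        try:
            box = os.lstat(os.path.join(mail_dir, u.name))
        except OSError:
            continue  # no mailbox for this account
        if box.st_uid != u.uid:
            findings.append((u.name, "mailbox not owned by user"))
        if box.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((u.name, "mailbox readable by group or other"))
    return findings
```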
User Management Functions 

Management functions will be provided in order to allow management of users to be easier. These 
functions shall be: 

- Users can be easily created 
- Users can be created in a simple "template" style. 
- Users can be easily deleted 

File Destruction 

An ability for files to be removed from the system following the Department of Defense data remnant 
removal procedures shall be implemented. 

Network Examinations 

In order to allow examinations of the host's network configuration for security concerns, the following 
network security features shall be performed: 

- TCP wrapping shall be used to provide a viable audit trail for incoming network connections. 
- Promiscuous mode shall be checked for in order to determine if a sniffer is running on the 
- Examination of a in the computer's hosts.equiv to prove it is not present. 

Vulnerability Testing 

Vulnerability testing involves looking for pre-existing security weaknesses that may be inherent with the 
system or the way the operating system or application software is configured by default.

Vulnerability Test Methods

The following tests shall be used to "narrow down" the search to determine if a vulnerability could exist on
the computer:

- The file is older than the patch.
- The file has permissions that may be associated with an insecure file.
- The file "passes" a vulnerability check by observing the program's behavior.
- The file is owned by a specific user associated with the vulnerability.
- The file is owned by a specific group associated with the vulnerability.

Vulnerability Database

The database used for the Vulnerability testing shall be from the DMW Vulnerability Database
(approximately 1,300 possible security vulnerabilities)

Intrusion Detection/Backdoor Examination

In order to determine if file tampering has taken place, the following intrusion detection capabilities shall
be performed in order to determine if files have been created which add to suspicion that the user is
attempting to hide files or otherwise abusing system resources:

- Suspicious usage of ".. " or directories
- Suspicious usage of .plan or .fingerrc
- Suspicious usage of /usr/spool/uucppublic
- Suspicious creation of a new setuid file
- Suspicious creation of a new setgid file



Common Misconfiguration

In order to determine whether a security problem may exist as a result of improper configuration, the
following tests shall be performed:

- Invalid use of # to comment out password entries
- Exporting file-systems to everyone
- Insecure PATH setting for root access

System Architecture



System Diagram 



Highest Level Component Interaction 

HostCHECK consists of eight security modules and five utility programs which interact in order to identify
security problems, report the problems, and take corrective action if necessary. This software package
could be thought of as a collection of different yet important tools.

The eight security programs are the Directory Scanner, Integrity Checker, Password Cracker,
Configuration Detection System, System Profiler, User Manager, Network Manager, and Wipe. Each of
these utilities provides a different aspect of security to the package.

System Software Components

Configuration Detection System 

[...] transferred to the File Security System to aid in securing the system properly. This
program needs to be run only once per installation.

Because the configuration of each computer system is different, and the system administrator doesn't want
to waste considerable time explaining to the security software program all of the differences between the
system's security and that of a default machine, the Configuration program was also designed to
accommodate other security issues besides critical files.

The configuration security component is merely an interpreter that calls a set of script programs. Each of
the scripts focuses on a single area of configuration concern: executables, internet connectivity, password
management, X Windows management, and library management, to name a few possible areas of concern.

There is a second purpose that this program performs: it generates the necessary system critical
information needed for compiling the rest of the program. The information is stored in the form of a
header file which is used only during the course of the program's compilation.

The configuration program generates the following files after execution:

Etc/CHECKSUM      The checksums of all the system critical files.
Etc/environment   The detected configuration "environment"
Etc/custom.h      Special header file created to assist in compilation of software.

The configuration program is completely stand alone and does not need to generate a visual report. Most of
the security programs built into HostCHECK will not function until the configuration utility is executed for
the first time.

Directory Scanner

Problems that are searched for are:

- Globally read/writable directories
- Globally writable setuid/setgid files
- SUID files that have changed ownership
- SUID files that have changed group
- SUID/SGID/Critical files that have changed permission
- Newly created SUID/SGID files
- Protected files that have changed ownership
- Protected files that have changed group
- SUID/SGID/Protected files that have been deleted
- SUID/SGID/Protected files that have been tampered
- Incorrect device driver permissions
- Tampered device driver permissions
- Incorrect Device Ownership
- Incorrect Device Group

If any security problems are identified, the system administrator is prompted for a quick fix if the program
is capable of providing one. All of the information associated with security problems and those that were
corrected is forwarded to the reporting system.

Security Profiler 

The Security Profiler security module examines individual file permissions for non-standard configuration.
Files contained in a pre-made database are checked against files on the system. If the files on the computer
differ from the files in the database, a suggestion is made to change the file's rights to the suggested rights.

The permissions are determined as follows:

1. Files selected are typically used UNIX files residing in public binary executable directories
(i.e. /bin, /usr/bin, /sbin, /usr/sbin, etc.) or common directories where insecurities may exist.

2. File permissions are revoked for regular users so that they are allowed to execute the file, but
not read the contents or change the file.

3. Directories that have common insecurities (/var/spool/crontab, /usr/spool/mail, etc.) are set
with proper secure permissions.

4. Other files that are commonly misconfigured are added as well (/etc/shadow,
/etc/master.passwd, /etc/profile, /, etc.)

5. Any other changes follow the general rule "Less permission is better" without shutting 
services off for the regular user. 



Password Cracker 

The Password Cracker security module examines the DES encrypted passwords associated with each user
for insecure password choices. The administrator can use this tool to test the strength of the system's
front-end security. It is a well-known fact that many systems become compromised because users pick
insecure passwords.

There are several functions of the Password Cracking suite that are both speed and functionality related.
They are:

- Use of the high-speed "fcrypt" program by Eric Young, entered into the public domain.
- The use of "same salting", so that there will only be a single "salt" attempt per entire
  dictionary. This optimizes the speed of the security test.
- The integration of "Similar Salts", a technique that puts a ceiling on the amount of time
  necessary to examine the passwords of large numbers of users. If a computer has over a
  thousand accounts, then performance may improve 25-45%.
- Filtering of words to generate "pseudo"-words, such as replacing "t" with "+", making words
  like "tomato" into "+oma+o". There are 8192 filter combinations in the filtering mechanism.
- Create "GECOs" password guessing, to determine the technique used by the system
  administrator(s) of the computer to give out "never before used" accounts.
- Generation of "large", non-repetitive dictionaries so that multiple dictionaries can be used
  for testing that does not contain duplicate words.

Integrity Checker

Despite good management, many computer security problems exist on computers by default. A collection
of these vulnerabilities is stored in the HostCHECK's database and checks are made in order to find the
holes on the local system. If a vulnerability is detected, the system administrator is notified of the problem
as well as where he/she can locate more information about the problem and patches.

The database of security holes is mostly comprised of CERT, ASSIST, ALERT, Bugtraq, and other
commonly referenced security bulletins and discussion groups. The information gathered from those
documents is used to generate the check needed to determine if there is a security problem. Key checks on
a program to determine if a computer hole exists are:

- The type of computer/operating system being used
- A specific string in file(s) where the security hole might exist
- The access privileges of the file
- The owner of the file
- The group of the file

administrator may locate additional information on the problem.



User Manager 

The User Manager is a dual-purpose system administration tool and computer security tool that oversees
[...] relating to individual users.

There are different types of functions it performs, depending on the system configuration. The most
commonly used features are:

- Creation of new user accounts
- Creation of new user groups
- Deleting and isolating files owned by a specific user
- Locating logs pertaining to an individual user
- Searching home directories for improper ownership
- Searching for non-existent home directories
- Searching home directories for improper group
- Searching home directories for improper "+" in .rhosts file
- Searching for insecure ".netrc" file

The User Manager is compatible with the traditional password/account generation method as well as
Shadow Password security package. The User Manager may or may not be capable of displaying
information about recent user log-ins, depending on the operating system.

Network Manager

When computers are connected to a network, new vulnerabilities are opened up which an intruder can take
advantage of. In order to keep the system secure, many of the networking security tasks are performed
locally.

- Insecure configuration files
- Running of excessive system services
- Intrusion detection on TCP ports
- Checks for Promiscuous Mode

Wipe

Sometimes "sensitive" information appears on a computer when it shouldn't. Guarantees need to be made
for deleted file contents to vanish from the computer permanently. To accomplish this, HostCHECK has a
program that conforms to the Department of Defense guidelines for the destruction of the file's contents
from the hard drive. This is accomplished by overwriting the file with bit patterns and text multiple times
and verifying the information was changed.

The procedure used to securely remove a file is as follows:

Step    Description

One     The file is overwritten by a bit pattern such as 0101.
Two     The file-system is synchronized in order to force data to be written to the drive.
Three   The file is read again in order to verify that the file has been overwritten with the 0101 pattern.
Four    Steps one, two, and three are repeated with different bit patterns for a total of three different
        patterns.
Five    The link to the file is removed.

This follows the directive set down by the Department of Defense standards for removal of sensitive
information, as defined by the DATA REMNANCE GUIDE (NCSC-TG-025). Here is the section
describing the technique for removal which the Wipe utility uses:

5.1.1 OVERWRITING 

Overwriting is a process whereby unclassified data are written to storage
locations that previously held sensitive data. To satisfy the DoD clearing
requirement, it is sufficient to write any character to all data locations in
question. To purge the AIS storage media, the DoD requires overwriting with a
pattern, then its complement, and finally with another pattern; e.g., overwrite
first with 0011 0101, followed by 1100 1010, and then 1001 0111. The number
of times an overwrite must be accomplished depends on the storage media,
sometimes on its sensitivity, and sometimes on differing DoD component
requirements. In any case, a purge is not complete until a final overwrite is
made using unclassified data.



Subsystem Diagrams 



Setup Software Subsystem 

HostCHECK's installation program is used to initially install and configure the package as a whole. This
tool assists in walking through the setting up of the security suite so that the maximum protection will be
given to the computer system while requiring a minimum amount of knowledge about how HostCHECK
works.

This package performs a series of steps needed to baseline the host. Although all of these actions can be
performed from the command line, these steps are automated by this program for convenience sake. The
steps that are performed by the setup program are:

1. The Configuration program is run first to identify the current configuration of the system,
identifying the important aspects of the system's security that the Directory Scanner
won't be able to identify by itself. It also detects standard features of the computer that
need to be used for special consideration as to the functioning of the security modules.

2. Install asks for parameters to special options, such as how to print to the printer, who to
send electronic mail reports to, and report characteristics such as width, margins, and
height. These are saved in the etc/configuration file.

3. The Directory Scanner is run, merging the information it detects with the information
provided by the Configuration tool. When run by the setup software, no security
information is displayed when the Directory Scanner runs. This is to avoid confusing the
installer.

4. The profiler is then called upon to establish a baseline for the security of approximately
1000 files on the host. This is saved into a database and is used to make certain that the
security of these files doesn't change.

Mailer Software Subsystem

The Mailer Program handles communication between the systems and subsystems, usually directing 
information to the reporting system but can also be used to send reports to the printer, e-mail, or to the 
screen. 

Composite Report Generator 

The composite report generator is a handler that allows the execution of multiple tests in a single running.
[...] individually, these tests are not supposed to have human interaction. These tests all
have similar traits:

- Autocorrection is turned off
- Execution of tests occurs after the previous test finishes.
- Tests are run using the "standard" configuration by default.

Mark/Unmark Subsystem

The Mark/Unmark utility assists in determining if a file is critical. If a file is critical, but the Configuration
and/or Directory Scanner program could not determine the critical nature of the file (e.g. the system
administrator installed application software online that needs to be protected by [...]
required to secure the file. Marking a file with the Mark utility will cause that file to become protected by
the Directory Scanning utility.

Unmarking a file will cause a file to be removed from the list of critical files maintained by the Directory
Scanner. However, if the file is a critical file by default, then the unmarking utility will cause the file to be
removed where it will be re-added to the security list next time the Directory Scanner is run.

Password Checker

3. User(s) are checked for non-existent passwords
4. Users are checked for passwords same as their user name
9. [...] wordlist
15. The pointer is moved to the first word in the new wordlist
16. If not at end of user list, go to step 2.
17. Save report

If the software is interrupted by a "hangup" signal, the following takes place:

1. Current userlist is saved in the file /spool/passchk/saved
2. Report is saved

the last given point.

Secure File Wipe

[...] the Wipe utility will not erase that file.

The procedure used to securely remove a file is as follows:

1. The file is overwritten by a bit pattern such as 0101.

2. The file-system is synchronized in order to force data to be written to the drive.

3. The file is read again in order to verify that the file has been overwritten with the 0101 pattern.

4. Steps 1, 2, and 3 are repeated with different bit patterns for a total of three different patterns.

5. The file is then overwritten with the text "The quick brown fox jumps over the lazy dog"
in order to simulate "non-sensitive" information.

6. The link to the file is then removed.
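
The wipe procedure above (also given in the Wipe section earlier) written out as an added example; it is not the Wipe utility's source. The three byte patterns are the ones in the NCSC-TG-025 passage quoted on this page, and wipe_pass(), wipe_file() and make_sample() are hypothetical names.

```c
/* Added example (not HostCHECK source): overwrite, sync, verify, repeat, unlink. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0            /* platform has no symlink guard for open() */
#endif

/* Patterns from the NCSC-TG-025 passage quoted on this page:
 * 0011 0101, its complement 1100 1010, then 1001 0111. */
static const unsigned char WIPE_PATTERNS[3] = { 0x35, 0xCA, 0x97 };
static const char WIPE_FILLER[] = "The quick brown fox jumps over the lazy dog";

/* Byte expected at file offset `off` when `src` (len bytes) is repeated. */
static unsigned char expected_at(off_t off, const unsigned char *src, size_t len)
{
    return src[(size_t)(off % (off_t)len)];
}

static size_t chunk_len(off_t size, off_t off, size_t max)
{
    return (size - off) < (off_t)max ? (size_t)(size - off) : max;
}

/* Steps 1-3: overwrite the whole file, force it to the drive, read it back.
 * Returns 0 only if every byte read back matches what was written. */
int wipe_pass(int fd, off_t size, const unsigned char *src, size_t len)
{
    unsigned char buf[4096];
    off_t off;
    size_t i, n = 0;

    if (lseek(fd, 0, SEEK_SET) != 0) return -1;
    for (off = 0; off < size; off += (off_t)n) {
        n = chunk_len(size, off, sizeof buf);
        for (i = 0; i < n; i++)
            buf[i] = expected_at(off + (off_t)i, src, len);
        if (write(fd, buf, n) != (ssize_t)n) return -1;  /* short write fails */
    }
    if (fsync(fd) != 0) return -1;                       /* step 2 */

    if (lseek(fd, 0, SEEK_SET) != 0) return -1;
    for (off = 0; off < size; off += (off_t)n) {
        n = chunk_len(size, off, sizeof buf);
        if (read(fd, buf, n) != (ssize_t)n) return -1;
        for (i = 0; i < n; i++)
            if (buf[i] != expected_at(off + (off_t)i, src, len)) return -1;
    }
    return 0;
}

/* Steps 1-6. The link is removed only if every pass verified. */
int wipe_file(const char *path)
{
    struct stat st;
    size_t p;
    int rc = -1;
    int fd = open(path, O_RDWR | O_NOFOLLOW);

    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) {
        rc = 0;
        for (p = 0; p < 3 && rc == 0; p++)               /* step 4 */
            rc = wipe_pass(fd, st.st_size, &WIPE_PATTERNS[p], 1);
        if (rc == 0)                                     /* step 5 */
            rc = wipe_pass(fd, st.st_size, (const unsigned char *)WIPE_FILLER,
                           sizeof WIPE_FILLER - 1);
    }
    if (close(fd) != 0) rc = -1;
    if (rc == 0) rc = unlink(path);                      /* step 6 */
    return rc;
}

/* Constructed sample input: a scratch file holding n bytes of stand-in data.
 * Returns an open descriptor and fills in the generated name in tmpl. */
int make_sample(char *tmpl, size_t n)
{
    int fd = mkstemp(tmpl);
    size_t i;

    if (fd < 0) return -1;
    for (i = 0; i < n; i++)
        if (write(fd, "S", 1) != 1) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    char path[] = "/tmp/wipe_demo_XXXXXX";
    int fd = make_sample(path, 10000);

    if (fd < 0) return 1;
    close(fd);
    if (wipe_file(path) != 0) { perror("wipe_file"); return 1; }
    printf("wiped and unlinked %s\n", path);
    return 0;
}
```

The read-back confirms what the file system returns for the file, which on journaling, copy-on-write or flash-backed storage is not proof that the original blocks were overwritten in place.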
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HostCHECK Menu System 

The HostCHECK Menu system exists in two forms, the Graphical User Interface version, which allows the
program to use a graphical, event-driven interface; and the Text version, which allows people using the
computer via a dial-up adapter or from a dumb terminal to be able to control the software package.
Running the Menu System with a -X in the command line will force the GUI to be used, otherwise the
software will default to text mode.

GUI Menu System 



DMW Worldwide Proprietary Information 



Host CHECK Functional Desc /n 



Text Menu System 

The Text Menu has limitations on what it can and cannot do, as a result of its inability to display graphical 
text. It cannot display information in color, nor can it display a fancy HTML report. The reports that are 
generated are ASCII based, but contain the same information the HTML reports do. 

The structure of the menu tree is: 



COMPOSITE SECURITY CHECKER 

Full Security Audit with Automatic Correction 
Full Security Audit with Manual Correction 
Full Security Audit without Corrections 
Quit/Exit Full Audit Menu

built in order to handle all keyboard based I/O so that a degree of control can be maintained over what the
user of the application types.

- readline() is a function used to read a string of text from the command line. It can display the
  text being entered in highlighted form, it can limit the amount of information that goes into
  the string by performing bounds checking, and it can even set restrictions on quantity of
  numeric values entered in the string.
- getkey() allows a single keystroke to be captured, without displaying the data to the screen,
  and relinquishes control back to the program logic immediately after the keystroke is pressed.
- YesNo() prompts the user to answer "Y" or "y" for Yes, "N" or "n" for No. Returns 1 if they
  answered yes, 0 if they answered no.
- common_prompt() is a system of prompting used to communicate with the GUI, if there is
  one currently running, or with the text mode interface. This prompting system handles all of
  the standard prompting for all of the HostCHECK utilities.

General Common Functions 

The general functions are just translations for very common functions that are needed for common usage,
which may take place throughout the code's logic, and very well may be just overlooked by the library
functions as things which needed to exist in general programming usage. There are two functions currently
in this genre.

- shadowdate() is a buggy, "yet serves its purpose" system for determining dates from shadow
  password file entries.
- itoa() is an "integer to ASCII string" conversion system.

Rhost File Identification

This function is used primarily for identifying a "+" in the .rhost file possessed by a user. However, it also
can be used by other subsystems for detecting a "+" in files such as "hosts.equiv", etc. The
check_rhost_file() function receives a filename, and returns positive if the file contains a hazardous
symbol.
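
One way to implement the check described above, as an added example rather than HostCHECK's own check_rhost_file(): it reports a bare "+" in the host or user field and does not flag "+@netgroup" entries or names that merely contain a plus sign. The helper names, the return convention for unreadable files and the sample entries are constructed for illustration.

```c
/* Added example (not HostCHECK source): find wildcard "+" trust entries
 * in .rhosts / hosts.equiv style files. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the host field or the user field of one line is a bare "+".
 * No comment syntax is assumed, so a line such as "# +" is still reported. */
int line_has_wildcard(const char *line)
{
    static const char WS[] = " \t\r\n";
    int field;

    for (field = 0; field < 2; field++) {
        size_t len;

        line += strspn(line, WS);          /* skip leading blanks */
        len = strcspn(line, WS);           /* length of this field */
        if (len == 0)
            break;                         /* no more fields on the line */
        if (len == 1 && line[0] == '+')
            return 1;                      /* "+" alone: any host or any user */
        line += len;
    }
    return 0;
}

/* Counts hazardous lines in an open stream; -1 on a read error. */
int check_rhost_stream(FILE *fp)
{
    char buf[1024];
    int hits = 0, at_line_start = 1;

    while (fgets(buf, sizeof buf, fp) != NULL) {
        size_t n = strlen(buf);

        if (at_line_start)                 /* ignore tails of over-long lines */
            hits += line_has_wildcard(buf);
        at_line_start = (n > 0 && buf[n - 1] == '\n');
    }
    return ferror(fp) ? -1 : hits;
}

/* Assumed contract, following the page: positive if a "+" entry is present,
 * 0 if the file is clean, -1 if it cannot be read. */
int check_rhost_file(const char *filename)
{
    FILE *fp = fopen(filename, "r");
    int hits;

    if (fp == NULL)
        return -1;
    hits = check_rhost_stream(fp);
    fclose(fp);
    return hits;
}

/* Constructed sample entries, not taken from any real host. */
static const char SAMPLE_RHOSTS[] =
    "trusted.example.com alice\n"
    "+@admins bob\n"
    "build+ci.example.com carol\n"
    "-untrusted.example.com\n"
    "+ +\n"
    "gateway.example.com +\n";

/* Runs the check over the constructed sample through a temporary file. */
int check_sample(void)
{
    FILE *fp = tmpfile();
    int hits;

    if (fp == NULL)
        return -1;
    fputs(SAMPLE_RHOSTS, fp);
    rewind(fp);
    hits = check_rhost_stream(fp);
    fclose(fp);
    return hits;
}

int main(void)
{
    printf("hazardous lines in sample: %d\n", check_sample());
    return 0;
}
```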

Synchronization Subsystem

Once a program is finished, in order to facilitate communication between the different software packages
which may be currently running, a call is made to the singular syncronize() function. At the moment this
program merely runs the /bin/mailer program and allows it to process any new information that has been
generated.

Data Models 



Data Files 
Database tables 
Data structures 
Data Dictionaries 



Data Files 



Profile Database 

The file baselining is performed in the profile database file, and is stored in the form of a comma and
quotes delimited ASCII database. All of these fields are of type VARCHAR, and can be up to XX
kilobytes in size. This file is automatically generated and updated by the File Security Subsystem

- Directory of File
- Filename
- Permissions
- Owner
- Group
- Date
- File Size
- Checksum
- SHA-1 Secure Hash



Vulnerability Database 



and can be up to XX kilobytes in size.

- Bug ID #
- Operating System
- Directory
- Filename
- Setuid?
- Setgid?
- Owner
- Group
- Permissions
- Date of Patch
- URL of Patch


Report Database

All of the reports generated by HostCHECK come from a canned report database. This database,
[...] of paragraphs, has two fields. The file is stored in the form of a comma and quotes
delimited ASCII database. All of these fields are of type VARCHAR, and can be up to XX kilobytes in
size.

- Name of Text Segment
- Text of segment, in paragraph form.

Recovery Database

Before the actual file baselining is performed, a snapshot of the security of many of the system's critical
files is performed in order to allow some files to have their security recovered in case of error. The
recovery file is stored in the form of a comma and quotes delimited ASCII database [...]
the standard Profiling Database. All of these fields are of type VARCHAR, and can be up to XX kilobytes
in size. This file is automatically generated and updated by the File Security Subsystem.



- Directory of File
- Filename
- Permissions
- Owner
- Group
- Date (unused)
- File Size (unused)

APPENDIX A - ALPHABETIZED FUNCTION LIST

Function                    File                  Description

accpol                      account.h             Tests DoD Accounting Policy Criteria
add_to_header               format.c              Adds text to header segment
add_to_segment              format.c              Adds text to a segment
add_user                    adduser.h             Creates a New User from User Entry
append_facts                facts.h               Merges FACTS to end of SIF file
archive_report              mailer.c              Copies generated report into system archive
ascii_center                visual.h              Centers string regardless of display type
ascii_text_wrap             visual.h              Wraps text regardless of the display type
asspol                      assure.h              Tests DoD Assurance Policy Criteria
bold                        visual.h              Displays text entered as bold face
bracketcees                 filter.c              Changes letter C to the symbol [
center_text                 visual.h              Centers string and displays on current line
certification               hostguard.c           DoD Certification Menu
changeprompt                dirscan.c             Displays prompt asking if file's permissions should be changed
check_device_permissions    devices.h             Compares device permissions
check_device_permissions    devices.c             True if device permissions are normal
check_rhost_file            rhost.h               Checks for + in rhost file
checksum_everything         dirscan.c             Launches checksumming process
clean_groups                groups.h              Properly unallocates GROUPS structure
clean_passwd_list           passwd.h              Cleans password structure in correct manner
clear_screen                visual.h              Clears the text screen
clear_space                 visual.h              Clears a section of the screen
clearenv                    envirornm.h           Removes environment variable from list
close_database              database.h            Closes an open database
compare_files               sums.c                Returns true if both files are identical
compute_checksum            sums.h                Computes File Checksum, Length, and SHA-1
configure                   hostguard.c           System Configuration Menu
create_new_group            grman.c               Creates a new pseudo group
curleyC                     filter.c              Changes letter C to the symbol {
cursor_hide                 visual.h              Hides the cursor
cursor_normal               visual.h              Restores cursor to normal
cursor_standout             visual.h              Bolds the cursor
deluser                     deluser.c             Deletes user from system
detect_filesystem           filesys.h             Guesses type of file system
dialogwinon                 screen.h              Displays a Text Dialog Box
directory_scanner           hostguard.c           Directory Scanner Menu
dirscan_report              Reporter, dirscan.c   Generates a Dirscan report from recent data
display_group               grman.c               Displays group list
display_group_menu          grpmenu.c             Enters group manager/menu system
display_inetd               netman.c              Displays inetd entry
display_inetd_menu          inetmenu.c            Displays inetd configuration
display_menu                menu.h                Displays text menu
display_user                user.h                Displays a single user
display_user_menu           usermenu.c            Displays user menu
dollars                     filter.c              Changes letter S to the symbol $
edit_user                   user.h                Edits a single user
elles                       filter.c              Changes letter L to the symbol 1
email_file                  mailer.c              Mails file to system administrator
evaluate                    config.c              "Evaluates" a simple script
examine_home_dir            homedir.h             Examines user for security problems
exclamation                 filter.c              Adds exclamation point to words in word list
fact2string                 facts.h               Converts a FACTS structure to a SIF line
fileitem                    user.h                Displays items of file list
filter                      filter.h              Generates permutations of a single word
filtered_check              hostguard.c           Launches Password Checker (w/filtering)
find_dicts                  dicts.h               Locates dictionaries for password cracker
find_ownership              owner.h               Searches for files owned by a single user
finish_report               report.h              Generates a Directory Scanner final SIF file
free_word_list              filter.c              Cleans words from word list in proper manner
full_automatic              hostguard.c           Full Examination w/automatic repairs
full_manual                 hostguard.c           Full Examination w/manual repairs
full_none                   hostguard.c           Full Examination w/no repairs
full_report                 hostguard.c           Composite Examination Menu
gecos_check                 hostguard.c           Launches Password Checker (only GECOs)
genenv                      config.c              Generates a new ENV entry
generate_file_table         Reporter, dirscan.c   Generates a table of file data from FACTS
generate_gecos              gecos.h               Generates word permutations from GECOs
generate_group_table        Reporter, dirscan.c   Generates a table of group data from FACTS
generate_table              Reporter, dirscan.c   Generates a table of data from FACTS
generate_user_table         Reporter, dirscan.c   Generates a table of user data from FACTS
genkey                      genkey.h              Generates a Copy Protection Key
get_file_rights             files.h               Obtains file's permissions
getkey                      cmdline.h             Reads a single character from input
googleO                     filter.c              Changes letter O to the symbol @
gotoxy                      visual.h              Moves cursor to screen location X Y
group_manager               grman.c               Enters group editing system
homedir_security            homedir.h             Checks general home directory permissions
ifenv                       envirornm.h           Checks to see if environment variable is set
incritical                  dirscan.c             Returns true if file has been flagged critical
inetd_configuration         netman.c              Displays inetd configuration
inetd_filter                inetd.h               Standardizes inetd entry
initialize_screen           visual.h              Initializes terminal display
install                     install.h             Installs HostCHECK software
installation                hostguard.c           Launches Installation Program
integ_report                Reporter, integ.c     Displays a report of vulnerabilities
integrity_checker           hostguard.c           Integrity Checker Menu
interrupt_handler           cmdline.c             Basic Interrupt Handler Function
inverse                     visual.h              Displays text as inverse

certify.tes*      DoD Certification Test
mail.tes*         Mailer System Test Script
solaris2.aft*     (?)
solaris2.opt*     (?)
solaris2.rel*     (?)

tools:
4wl.c*            4 Weak Links
keys.c*           Keystroke Logging/Displaying
makefile*         Makefile for weak.c
weak.c*           Weak Links Prototype

unmark:
clean*            Removes object files and executables
makefile*         Makefile for Unmark
unmark.c*         Unmark Program

userman:
adduser.c*        Routines to create a new user
clean*            Removes object files and executables
deluser.c*        Routines to delete a user
grman.c*          Group Manager Routines
groups.c*         Group handling routines
grpmenu.c*        Menu for Group Editing
homedir.c*        Home Directory Permissions
lastlog.c*        Last Log Examination Functions
makefile*         Makefile for User Manager
owner.c*          Functions to locate file ownership
skel.c*           Functions to handle Skeleton Directories
user.c*           User handling routines
userman.c*        User Manager Main Routine
usermenu.c*       User Editing Menu

wipe:
clean*            Removes object files and executables
filesys.c*        Link to File System Library
makefile*         Makefile for Wipe
wipe.bac*         Backup file for Wipe (NOT Wipe data)
wipe.c*           Wipe Utility

wipe.old:
clean*            Removes object files and executables
files.c*          Link to Files Library
filesys.c*        Link to File System Library
makefile*         Make file for Linux Wipe
wipe.c*           Linux Wipe

wish:
wish.hpu*         Precompiled Windows Shell for HPUX
wish.lin*         Precompiled Windows Shell for Linux
wish.sol*         Precompiled Windows Shell for Solaris

xwindows:
audit.tcl*        Security Audit TCL
comp.tcl*         Composite Check TCL
config.tcl*       Configuration TCL
confirm.tcl*      Confirmation (Yes or No) TCL